Re: MS Terminal Services open to the world

From: Don Voss (voss@albany.edu)
Date: 01/10/03

    From: "Don Voss" <voss@albany.edu>
    To: "Ralph Los" <RLos@enteredge.com>, "'Pen-test@securityfocus.com'" <Pen-test@securityfocus.com>
    Date: Fri, 10 Jan 2003 13:13:11 -0500
    
    

    Ralph,

    I am not sure if this is the "creative" method you were thinking of ..
    but facts, facts, and more facts would be my choice.

    You have a broad area to cover. Do you convince them that none of their
    material should face the internet ?.. as in no firewall [ my assumption
    of no firewall .. . if the TS enabled servers are directly facing net.]
    Thus the exposed TS material is just one of the risks they are allowing.

    or

    Do you show detailed recorded examples of TS exploitation ?

    Which leads me to .. is there documentation of TS material being
    exploited and how ? I do not know about that so I searched Google a bit,
    jumped to securityfocus, searched their vulnerabilities database, under
    Microsoft it showed 2 TSAC ActiveX issues .. which I am not qualified to
    comment on. Links below.

    Microsoft TSAC ActiveX Control

    http://online.securityfocus.com/bid/5952

    http://online.securityfocus.com/bid/5554

    At the link below, quick glance, there seems to be much info regarding
    terminal services functionality.

    http://www.ntsecurity.net/Articles/Index.cfm?TopicID=800

    and so on.

    Of course .. If you are skilled enough and can get the approval to try ..
    exploit it yourself. Set up a provable test .. get somewhere secure ..
    modify an agreed-upon parameter / setting. How could they argue with that
    ?

    [ I do not know if or how to if it is possible. I am just offering
    logical "proof" options. ]

    You may find the terminal services [ with version control, current
    patches, etc] ok. Then the facts do not support your warnings, right?

    Even so there seems to be enough evidence of other risks, almost to the
    point of common sense, not to have servers / services / clients exposed
    directly to the net. An inventory of what they have running facing the net
    and a list of exploits against those services/OS's/clients .. with some
    cost liability numbers should be sobering.

    That said .. it may not sway them .. here at the university .. the only
    device, as far as I know, they have purchased is a Packeteer used to
    throttle back the dorms from file sharing outbound congestion. Politics
    and money are a big part of these decisions. At least you can give them
    hard data to add to the mix.

    regards,
    /don

    On 10 Jan 2003 at 10:09, Ralph Los wrote:

    > Hello all,
    >
    > I've got a pretty good client of mine who absolutely refuses to heed my
    > warnings about keeping Terminal Services open to the world. They rely on
    > Windows passwords and figure that's strong enough for all their servers
    > (management). Now I'm given the task of auditing their
    > security/infrastructure and would like to come up with some creative ways to
    > back up my point about MS TS open to the Internet being a bad idea.
    >
    > Any thoughts or input is appreciated.
    >
    > Ralph

    _____________________________________________
    Don Voss voss@albany.edu
    Sr. Programmer Analyst
    Geography & Planning Department
    The University at Albany, SUNY
    Albany, NY, 12222-0100

    Jazz music: an intensified feeling of nonchalance.

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/


